kola: Add --no-net flag

[cgwalters]

The Docker Hub recently decided that us pulling the nginx image
over and over many times a day was abusive and started rate limiting
us.

For OSTree's test suite at least, there's no good reason for us
to run podman's tests at all. Similarly for e.g. Ignition.

And just as a general rule I think it's useful to cleanly separate
tests that can be run fully offline from those that require
Internet access.

[sohankunkerkar]

And the CI failed due to:

--- FAIL: podman.workflow (274.41s)

    --- FAIL: podman.workflow/run (251.35s)

            cluster.go:141: Trying to pull docker.io/library/nginx...

            cluster.go:141:   too many requests to registry

            cluster.go:141: Error: unable to pull docker.io/library/nginx: unable to pull image: Error parsing image configuration: too many requests to registry

            cluster.go:162: "sudo podman run -d -p 80:80 -v /tmp/tmp.kedL9Z7bVf/index.html:/usr/share/nginx/html/index.html:z docker.io/library/nginx" failed: output , status Process exited with status 125

[sohankunkerkar]

For OSTree's test suite at least, there's no good reason for us
to run podman's tests at all. Similarly for e.g. Ignition.

+1
I've seen this error a couple of times in Ignition CI but wasn't sure about the fix. Thanks for putting up this PR.

[sohankunkerkar]

/approve

[jlebon]

Hmm actually... since this is (hopefully) temporary, maybe let's just blacklist the tests for now? That way we don't have to spread this new switch everywhere it's needed. OK, did that in: coreos/fedora-coreos-config#425.

But I agree with the motivation of this PR though.

[cgwalters]

I'm happy with the CI workaround for now, but:

My suggestion is to tag those tests with "net.dockerio.unauth" and to change the test-runner to always run the default tests (i.e. those with empty tag set) plus any tags specified on the CLI.
That could also allow us in the future to have something like "--fallible-tags" to allow soft-failures/flakes.

So far kola itself has not attached any semantic meaning to tags. I'm not opposed to that, but it'd be a notable change.

We also already have the "requires Internet" metadata on these tests note.

I also laid out a rationale why I think we want to support offline tests and not just specifically this Docker Hub issue:

And just as a general rule I think it's useful to cleanly separate tests that can be run fully offline from those that require Internet access.

To elaborate on that, all tests that require Internet are inherently flaky to some degree. Also I want to be able to e.g. run coreos-assembler while I'm on an airplane too.

(There has also been parallel discussions with enhancing the Kubernetes and OpenShift test suites to support being run disconnected, so one can validate a disconnected environment - this is particularly tricky for OpenShift's tests which talk to Github and Docker Hub and quay and...)

[lucab]

Ah, I missed the fact that RequiresInternetAccess fields are already in place. Then it looks like all relevant parties already agreed on this direction while plumbing coreos/mantle#967. I'll thus retire my comment above, sorry for the noise.

[cgwalters]

/test sanity

[jlebon]

Hmm, shouldn't we reset noNetFiltered to false before this? Otherwise once it's set to true, it'll always remain true, no? Which means it would skip every test after a networking test when --no-net is specified.

Or better yet, just move the variable declaration into the for-loop. I guess we could do the same for blacklisted too.

[cgwalters]

Oooh great catch! I'd tested that we didn't run the network tests and that other tests were run, but not that we still listed all of the tests...

[cgwalters]

Happened to still have this tab open and one thing I wanted to say here is that this is an excellent example of why we have code review - nothing would be checking today that we're silently not running some tests and it'd be painful to find later.

[jlebon]

/lgtm

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, jlebon, sohankunkerkar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [cgwalters,jlebon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[cgwalters]

(There has also been parallel discussions with enhancing the Kubernetes and OpenShift test suites to support being run disconnected, so one can validate a disconnected environment - this is particularly tricky for OpenShift's tests which talk to Github and Docker Hub and quay and...)

Just to xref, openshift/origin#24887